Phishing fraudsters are preying on the supposed convenience of a password-streamlining platform to steal victims' confidential online credentials.
The cybercrime campaign targets OpenID, a platform that lets users enter one password for all their online accounts, such as Google, AOL, Facebook and Twitter. As researchers at Barracuda Labs discovered, the all-in-one convenience of OpenID opens itself up to scammers — why hijack one of your passwords when a fake OpenID login page lets them steal all of them?
The emails that kick off the scam appear to come from real estate companies such as Re/Max, with a subject line reading "Properties for sale," and a message inviting you to "kindly check out the new beautiful and cheap properties for sale around your area. Click on the link below."
[Password Overload: How Can Anyone Remember Them All?]
The "link below" is, of course, the problem: Clicking it redirects your browser to a rigged website, which then serves up the fraudulent OpenID sign-in window. As soon as you enter your email address and password, they are transmitted, in plain text, right to the perpetrators, who can use the information in any number of ways, from identity theft to financial fraud.
Barracuda Labs researchers acknowledged the "excellent" convenience of the legitimate OpenID platform, but warned, "You need to be very observant and make certain that your credentials are being requested using a secure connection to the provider's servers."
As with all websites and online accounts, never enter your credentials if the site appears suspicious, or you were redirected to it from another source. In most browsers, the URL bar will show a lock icon to indicate it is encrypted and not a spoofed or harmful site. As a rule of thumb, if you aren't sure about a site's legitimacy, close it.